In the wake of the recent Newtown shootings and the Boston Marathon bombings, a lingering question for health providers has been whether they ever have a duty, or the option, to disclose information derived from patient encounters if that information could help prevent an attack or a violent crime, help apprehend a suspect, or solve a criminal investigation.

Health care lawyers are frequently confronted with questions from hospitals, physicians and other providers about how to navigate and apply the conflicting legal and ethical duties to maintain and protect patient privacy rights but also to protect third parties and the general public from harm. Can medical groups proactively report to the police that a patient is mentally unstable and may have access to guns? May hospitals release information about victims of an attack to the police without consent?

This article summarizes current federal and Massachusetts law on the circumstances in which Massachusetts health care providers are authorized to share patient information with law enforcement and public safety personnel and agencies, notwithstanding patient privacy laws. This article also identifies some shortcomings under current Massachusetts law, and proposes a legislative solution to the confusion between HIPAA and a lack of clarity under existing applicable Massachusetts law.

A. Federal HIPAA Privacy Rule

The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule established by the Office of Civil Rights (“OCR”) of the United States Department of Health and Human Services (“HHS”) does identify a variety of permissible urgent situations in which a health care provider may disclose patient health information.

Notwithstanding this fact, since the effective date of the HIPAA Privacy Rule in 2003, providers have had a greater reluctance to talk or report facts to law enforcement, either because of a failure to properly understand or apply HIPAA or a fear of liability.

Criminal and civil penalties can be imposed on both individuals and organizations under HIPAA for impermissible disclosures, but there are no such statutory penalties for failing to make disclosures to law enforcement or government agencies that HIPAA authorizes. Additionally, many states, including Massachusetts, have very strong and broadly established patient privacy rights over additionally protected areas of sensitive information but less clearly delineated exceptions for disclosures without patient consent for public safety and law enforcement reasons.

Although it establishes a minimum level of privacy rights under federal law, the HIPAA Privacy Rule does not pre-empt any state laws that grant greater protections over patient health information. Thus, health lawyers must help provider clients harmonize the application of a HIPAA provision with a state law that may be more protective of patient health information.

For example, HIPAA permits a hospital to release a patient record including HIV test results or psychiatric treatment communications upon a subpoena alone and without written patient authorization or a court order, if the discovering party can show it has met certain procedural requirements ensuring that proper notice has been given to the patient’s counsel and no objections or motions for protective orders have been filed. However, Massachusetts statutes covering HIV test results or psychiatric treatment communications – more protective of patient rights and thus not pre-empted by HIPAA – require the presentation of either a written patient consent or a court order before that portion of a patient record may be disclosed.

OCR, in the Privacy Rule, attempted to strike the right balance between patient privacy and the need to protect public safety, and in doing so permits the use and disclosure of protected health information, without an individual’s authorization or permission, for twelve national priority purposes. OCR has noted that these disclosures are permitted, although not required, by the Privacy Rule in recognition of the important uses made of health information outside of the health care context. For each public interest purpose, OCR included specific conditions or limitations in the Privacy Rule to strike the right balance between the individual privacy interest and the public interest need for such information.

Among these 12 national priority purposes, the HIPAA Privacy Rule permits non-patient consented disclosures in the following circumstances:

To assist law enforcement in certain extreme situations

To avert serious threats to health or public safety

To protect national security

To protect the public health

1. Assist Law Enforcement

HIPAA permits providers to disclose patient health information without permission from the patient for a law enforcement purpose to a law enforcement official in the following situations:

Providers can disclose health information to comply with federal or state reporting laws, including laws that require the reporting of certain types of wounds or other physical injuries.

In response to a law enforcement official’s request for information for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person, a provider may disclose the following:

However, DNA or DNA analysis, dental records, or typing, samples or analysis of body fluids or tissue can only be released upon issuance of a court order, warrant, or written administrative request.

In response to a law enforcement official’s request for patient information about an individual who is or is suspected to be a victim of a crime if the individual is incapacitated, or there are other emergency circumstances, as long as:

(A) The law enforcement official represents that such information is needed to determine whether a violation of law by a person, other than the victim, has occurred, and such information is not intended to be used against the victim;

(B) The law enforcement official represents that immediate law enforcement activity that depends upon the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure; and

(C) The disclosure is in the best interests of the individual as determined by the provider, in the exercise of professional judgment.

2. To Avert Serious Threats to Health or Public Safety

The HIPAA Privacy Rule also permits providers, acting consistent with applicable law and standards of ethical conduct, to disclose patient health information without consent where the provider in good faith believes the use or disclosure:

Is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; and is to a recipient reasonably able to prevent or lessen the threat, including the target of the threat; or

Is necessary for law enforcement authorities to identify or apprehend an individual:

(A) Because of a statement by an individual admitting participation in a violent crime that the provider reasonably believes may have caused serious physical harm to the victim; or

(B) Where it appears from all the circumstances that the individual has escaped from a correctional institution or from lawful custody.

The information provided must not be more than what meets the minimum necessary standard. For purposes of identifying or apprehending an individual, the information authorized to be disclosed is limited to the same eight basic identifying items that can be disclosed in response to a law enforcement official’s request for information for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person.

HIPAA presumes that the disclosing provider in these instances has acted in good faith with regard to the belief of the necessity for such public safety disclosures.

3. National Security and Intelligence Activities

Providers may also disclose protected health information to authorized federal officials under the HIPAA Privacy Rule for the conduct of lawful intelligence, counter-intelligence, and other national security activities authorized by the National Security Act and implementing authority. Those activities can include efforts to create counter-terrorism intelligence databases, including health records. Thus, the reporting of possible or suspected terrorists or terrorist activity by a provider is not necessarily prohibited under HIPAA, and a provider meeting the minimally necessary standard could share its suspicions with federal and state law enforcement agencies without violating HIPAA. The bigger question is whether such a disclosure would run afoul of more protective state laws protecting patient privacy, and whether a provider could be subject to a lawsuit for invasion of privacy or patient rights under Massachusetts law.

4. Public Health Protection

The HIPAA Privacy Rule also allows unauthorized disclosures of protected health information to public health authorities to carry out their mission to protect the public’s health and safety.

The Privacy Rule permits – but does not require – providers to disclose protected health information, without authorization, to public health authorities who are legally authorized to receive such reports for a variety of widely accepted public health functions such as: the reporting of a disease or injury; reporting vital events, such as births or deaths; and conducting public health surveillance, investigations, or interventions. Also, covered entities may, at the direction of a public health authority, disclose protected health information to a foreign government agency that is acting in collaboration with a public health authority. Covered entities who are also a public health authority may use, as well as disclose, protected health information for these public health purposes.

Generally, covered entities are required reasonably to limit the protected health information disclosed for public health purposes to the minimum amount necessary to accomplish the public health purpose. However, covered entities are not required to make a minimum necessary determination for public health disclosures that are made pursuant to an individual’s authorization, or for disclosures that are required by other law. Since most public health disclosures are made by providers under specific mandatory reporting laws established by both federal and state agencies, the minimum necessary rule under HIPAA is often not applicable when a provider is fulfilling a mandatory reporting obligation. Furthermore, the HIPAA Privacy Rule also allows covered entities to reasonably rely on a minimum necessary determination made by the public health authority when it initiates a request for protected health information.

Permissible public health disclosures under HIPAA also cover mandatory or suggested disclosures to authorized third parties who have a need to know, such as to the police in the case of known or suspected abuse or neglect of children or the elderly, or victims of domestic violence or rape. Similarly, if state law allows providers to warn third parties of exposure to a communicable disease, HIPAA also allows the same disclosure as necessary to carry out public health interventions or investigations to prevent or control the spread of the disease.

B. New OCR Guidance

Following the Newtown tragedy, the HHS Office of Civil Rights published a letter to the nation’s healthcare providers in January, 2013 to make them aware of their ability under HIPAA to disclose information and their ethical “duty to warn” when they believe a patient poses a serious and imminent threat.

The OCR letter clarifies that the HIPAA Privacy Rule permits disclosure when a health care provider believes in good faith that a warning is necessary to prevent or lessen a serious and imminent threat to the health or safety of the patient or others. If the disclosure is made consistent with applicable law and standards of ethical conduct, the provider may alert those persons whom the provider believes are reasonably able to prevent or lessen the threat. The provider is presumed to have such a good faith belief when the provider warns and discloses upon obtaining actual knowledge of facts from interaction with the patient or in reliance on a credible representation by a person with apparent knowledge or authority, such as a friend or family member of the patient.

The OCR letter further states that a health care provider may disclose patient information, including information from mental health records, to law enforcement, family members of the patient, or any other persons who may reasonably be able to prevent or lessen the risk of harm.

Thus, if a mental health professional has a patient who has made a credible threat to inflict serious and imminent bodily harm on one or more persons, HIPAA permits the mental health professional to alert the police, a parent or other family member or others who may be able to intervene to avert harm from the threat.

Such disclosures are not only permitted by HIPAA, but are also advisable under state tort laws following the duty to warn standard first recognized by the 1974 California Supreme Court in Tarasoff v. the Regents of the University of California. Tarasoff established a common law duty upon health care providers to warn potential victims and the authorities, notwithstanding patient privacy rights, when an individual makes a credible threat of violence. The Tarasoff rule can be best summarized in its most often quoted passage: “The protective privilege ends where the public peril begins . . . .”

C. Massachusetts Law on Patient Privacy and Disclosure

In sharp contrast, the scope of permitted disclosures to warn third parties or avert possible imminent harm to possible victims is more limited under Massachusetts law. Furthermore, Massachusetts law articulates very stringent privacy and confidentiality protection and duties to maintain patient confidentiality, with only a handful of stated exceptions related to public safety. Unlike other states’ patient privacy laws, Massachusetts does not have a single comprehensive statutory act governing all facets of health care information confidentiality and permitted disclosure. Instead, the law of patient privacy and confidentiality in Massachusetts is comprised of a patchwork of different sources: constitutional, statutory, common law, and a variety of state agency regulations.

Generally, the right of privacy in Massachusetts is either implicitly or explicitly recognized and protected under the state constitution, Opinion of Justices, 375 Mass. 795, 806-9 (1978), by common law, Commonwealth v. Wiseman, 356 Mass. 251 (1969), and by statute. Massachusetts Gen. Laws c. 214, § 1B provides for a general right to privacy (“[a] person shall have a right against unreasonable, substantial or serious interference with his privacy”) and authorizes a civil tort action to recover damages for any interference with that privacy right.

Specific to health information, Mass. Gen. Laws c. 111, §§ 70 and 70E (the “Massachusetts Patient’s Bill of Rights”), Mass. Gen. Laws c. 112, § 12CC, and a variety of other statutes and licensing board regulations establish the right of patients of Massachusetts hospitals, licensed facilities, physicians and other practitioners to the confidentiality of all records and communications.

In addition, the Massachusetts Supreme Judicial Court has ruled that physicians have an affirmative duty to maintain the confidentiality of patients’ medical information, and a breach of patient confidentiality can result in tort liability for the physician as well as the discovering party. Alberts v. Devine, 395 Mass. 508 (1985).

The Massachusetts Legislature has also implicitly recognized the general legal and ethical obligation not to release medical information without patient consent by enacting several statutes establishing qualified evidentiary privileges protecting certain medical information and by authorizing and immunizing particular non-consensual disclosures. These statutes (and the cases interpreting them) comprise the body of medical information confidentiality laws in Massachusetts.

Generally, absent written patient consent or an appropriate court order or subpoena, Massachusetts health providers are not explicitly permitted to divulge medical information to the police or other law enforcement agencies.

Under the Massachusetts statutory version of the Tarasoff rule, Mass. Gen. Laws c. 123, § 36B, licensed mental health professionals have a professional duty to take reasonable precautions to warn or protect a potential victim or victims of a patient (and are granted immunity against invasion of privacy claims) in the following circumstances:

The patient has communicated to the licensed mental health professional an explicit threat to kill or inflict serious bodily injury upon a reasonably identified victim or victims and the patient has an apparent intent and ability to carry out the threat or,

The patient has a history of physical violence which is known to the practitioner and the practitioner has a reasonable basis to believe that there is a clear and present danger that the patient will attempt to kill or inflict serious bodily injury against a reasonably identifiable victim or victims.

In such instances, licensed mental health professionals are authorized to disclose confidential patient communications by taking one or more of the following reasonable precautions:

Communicate the threat to the reasonably identified victim or victims;

Notify the appropriate law enforcement agency in the vicinity where the patient or potential victim resides;

Arrange for voluntary hospitalization, or initiate proceedings for involuntary commitment.

In situations where Massachusetts providers, other than a mental health practitioner, believe that failure to disclose patient information will result in serious danger to the patient or others, they have tended to make the disclosure. Even without explicit statutory authority, hospitals, physicians and other non-psychotherapist providers usually make these disclosures from a risk management and general common law standpoint, disclosing limited information to prevent serious and imminent danger. The Massachusetts Supreme Judicial Court has recognized a “serious danger exception” to a physician’s common law duty to maintain patient confidentiality.

Massachusetts providers have generally disclosed only that information necessary to prevent serious danger, but there have been many instances where police departments, hospitals and other providers have disputed whether and to what extent such disclosures are allowed without a court order or written patient authorization.

While the right of privacy is not absolute under Massachusetts law, and it is the unreasonable interference that is actionable, the specific statutory exceptions for mandatory reporting (e.g., bullet wounds) and permissible public safety disclosure are confusing under the variety of applicable Massachusetts legal sources. As noted above, beyond psychotherapists, there is no explicit state statutory exception authorizing hospitals and physicians to report instances of serious and imminent danger and granting them immunity for doing so.

Massachusetts is in need of comprehensive, consolidated legislation on the balance between patient privacy rights and permissible and necessary limited disclosures to protect the public. Such legislation should contain explicit statutory provisions applicable to all classes of providers, in order to delineate and provide clear guidance on what type of public safety disclosures are permitted, and in what circumstances.

The Massachusetts Legislature could ease the confusion among providers and lessen the risk of future preventable tragedies by having Massachusetts law adopt and follow the permissible HIPAA public safety exceptions described above, and grant immunity under state law for providers who follow these HIPAA permissive disclosures. HIPAA’s limited pre-emption of state law still leaves it to state governments to identify when they want to be more protective of patient rights and limit disclosures that may be otherwise permitted under HIPAA. Providers in Massachusetts would be better served by such a state statute, as it would diminish the current uncertainty and case-by-case effort hospitals, medical practices and other providers must regularly engage in when they balance their legal and ethical duties to patients against the safety of the general public.

Bill Mandell is a founding member and co-managing partner of Pierce & Mandell, P.C. He represents health care providers in regulatory and transactional matters, including practice start-ups, buy-ins and buy-outs, hospital-physician relationships, risk management, professional contracts and regulatory compliance. He also represents non-profit organizations, corporate executives, start-ups, and small and family businesses. He serves frequently as a neutral hearing officer and advisor to medical staff hearing panels for medical staff disciplinary action and peer review appeals.